Commit message | Author | Age | Files | Lines
* build: bump LIBVERSION (tag libnftnl-1.1.0) | Florian Westphal | 2018-05-01 | 1 | -1/+1

  AC_INIT version was already bumped in 7693a5e293962, not needed.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* udata: refuse to put more than UINT8_MAX bytes | Florian Westphal | 2018-04-29 | 1 | -1/+1

  ->len is uint8_t, so we can't handle more than this.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: objref: do not print id | Pablo Neira Ayuso | 2018-04-11 | 1 | -2/+2

  The lookup expression does not do this either, so let's be consistent and remove it.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-flowtable-add: do not use nftnl_flowtable_set_array() | Pablo Neira Ayuso | 2018-03-20 | 1 | -1/+1

  Fixes: 62d6fff78b2c ("src: remove set/get array api")
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-ct-helper-{add,get,del} | Yang Zheng | 2018-03-20 | 4 | -1/+436

  nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the specified table.

  Examples:

  % ./nft-ct-helper-get ip filter
  <nothing>
  % ./nft-ct-helper-add ip filter sip-5060 sip udp
  % ./nft-ct-helper-get ip filter
  table filter name sip-5060 use 0
    [ ct_helper name sip family 2 protocol 17 ]
  % ./nft-ct-helper-del ip filter sip-5060
  % ./nft-ct-helper-get ip filter
  <nothing>

  Signed-off-by: Yang Zheng <tomsun.0.7@gmail.com>
  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove set/get array api | Florian Westphal | 2018-03-12 | 2 | -14/+0

  one-line wrapper, callers can use nftnl_flowtable_get/set instead.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support for NFT_CT_{SRC,DST}_{IP,IP6} | Pablo Neira Ayuso | 2018-03-11 | 2 | -3/+15

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: fix parsing for set handle attributes | Harsha Sharma | 2018-03-11 | 1 | -1/+1

  Correct one typo for parsing set handles.

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: bump library version to 1.1.0 | Pablo Neira Ayuso | 2018-03-06 | 1 | -1/+1

  So new nftables doesn't break compilation with old libnftnl versions.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: parse new handle attribute for objects | Harsha Sharma | 2018-03-05 | 4 | -1/+23

  This patch adds code to allocate object handles and delete objects via object handles.

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: parse new handle attribute for sets | Harsha Sharma | 2018-03-05 | 4 | -0/+22

  This patch adds code to allocate set handles and delete sets via set handle.

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
* src: parse new handle attribute for tables | Harsha Sharma | 2018-03-05 | 4 | -2/+43

  This patch adds code to parse new handle attribute for tables.

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add flowtable regression test | Pablo Neira Ayuso | 2018-03-05 | 2 | -0/+85

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: support for flags | Pablo Neira Ayuso | 2018-03-05 | 3 | -3/+23

  This new attribute allows you to specify the flowtable flags.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: allow to specify size | Pablo Neira Ayuso | 2018-03-05 | 3 | -2/+27

  This new attribute allows you to specify the flowtable size.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add flow offload expression | Pablo Neira Ayuso | 2018-03-05 | 5 | -0/+202

  This patch adds the new "flow_offload" expression to select what flows are offloaded to an existing flowtable.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flowtable support | Pablo Neira Ayuso | 2018-03-05 | 10 | -0/+1351

  This patch allows you to add, delete and list flowtable through the existing netlink interface.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: nftnl_set_elems_parse() returns 0 if set is empty | Pablo Neira Ayuso | 2018-02-14 | 1 | -1/+1

  Instead of -1, which results in a misleading error propagated to the caller with errno == 0 (success).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-del: fix set deletion | Pablo Neira Ayuso | 2018-02-14 | 1 | -9/+24

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: do not call nftnl_batch_is_supported() | Pablo Neira Ayuso | 2018-02-14 | 14 | -207/+69

  This is only required by Linux kernel <= 3.16.x, that's too old and at that time nft was very limited in terms of features, so let's remove this check from example files.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: secpath support | Florian Westphal | 2018-01-16 | 2 | -1/+4

  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: libnftnl 1.0.9 release (tag libnftnl-1.0.9) | Pablo Neira Ayuso | 2017-12-30 | 2 | -2/+2

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: change char * pointer to constant (const char *) | Harsha Sharma | 2017-12-30 | 3 | -4/+4

  As the parameter for the function is a pointer to constant, change it to constant. This fixes a gcc compilation warning in libnftnl with make check.

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix exporting symbols with clang | Armin K | 2017-12-30 | 13 | -269/+273

  When EXPORT_SYMBOL is located after function definition, clang won't properly export the function, resulting in a library with no symbols when built with clang.

  Based on libmnl commit dcdb47373a37 ("Move declaration of visibility attributes before definition.")

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1205
  Signed-off-by: Armin K <krejzi@email.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: calm down compilation warning in nftnl_data_reg_value_json_parse() | Pablo Neira Ayuso | 2017-12-28 | 1 | -3/+4

  expr/data_reg.c: In function 'nftnl_data_reg_json_parse':
  expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2 [-Wformat-overflow=]
     sprintf(node_name, "data%d", i);
                             ^~
  expr/data_reg.c:69:22: note: directive argument in the range [0, 2147483647]
     sprintf(node_name, "data%d", i);

  Buffer overflow is triggerable when reg->len > 396, but len never goes over 128 due to type validation just a bit before.

  Use snprintf() and make sure buffer is large enough to store the "data256" string.

  Reported-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* trace: Check return value of mnl_attr_parse_nested() | Phil Sutter | 2017-12-15 | 1 | -1/+2

  This is done everywhere else as well, so certainly not a bad thing here either.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Don't return garbage in nftnl_set_elems_parse() | Phil Sutter | 2017-12-15 | 1 | -1/+1

  This might happen if netlink message is malformed (no nested attributes are present), so treat this as an error and return -1 instead of garbage to caller.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: Avoid reading garbage in nftnl_ruleset_cb() | Phil Sutter | 2017-12-15 | 1 | -5/+5

  If nftnl_ruleset_json_parse() is called with arg == NULL, ctx.data is left uninitialized and will later be used in nftnl_ruleset_cb(). Avoid this by using a C99-style initializer for 'ctx' which sets all omitted fields to zero.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: Avoid returning garbage in nftnl_obj_do_parse() | Phil Sutter | 2017-12-15 | 1 | -1/+1

  It may happen that 'perr' variable does not get initialized, so making parameter 'err' point to it in any case is error-prone. Avoid this by initializing 'perr' upon declaration.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* gen: Remove a pointless call to mnl_nlmsg_get_payload() | Phil Sutter | 2017-12-15 | 1 | -2/+2

  It is a common idiom in all *_nlmsg_parse() functions, but nftnl_gen_nlmsg_parse() doesn't make use of the data pointer and the compiler probably can't eliminate it since there could be a side-effect.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: Add a missing break in nftnl_data_reg_snprintf | Phil Sutter | 2017-12-15 | 1 | -0/+2

  The code works fine as-is, but if reg_type == DATA_VALUE && output_format == NFTNL_OUTPUT_XML, we fall through to DATA_CHAIN case and therefore pointlessly check output_format again.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Introduce nftnl_expr_fprintf() | Phil Sutter | 2017-10-17 | 3 | -0/+19

  Implement expression printing into a FILE pointer analogous to nftnl_rule_fprintf().

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.0.8 release (tag libnftnl-1.0.8) | Pablo Neira Ayuso | 2017-10-04 | 1 | -1/+1

  907a9f8e5a93 ("src: get rid of aliases and compat") already updated LIBVERSION when symbol aliases have been dropped.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: do not nul-terminate internal helper functions | Pablo Neira Ayuso | 2017-10-04 | 9 | -29/+0

  Public API already does this for us, no need to do this again from internal helper functions.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: no need to nul-terminate buffer for nftnl_fprintf() calls | Pablo Neira Ayuso | 2017-10-04 | 8 | -27/+0

  This function bails out with -1 if we cannot print, and this buffer is internally allocated. No need for this overly defensive initialization.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: no need to nul-terminate buffer from expression ->snprintf indirection | Pablo Neira Ayuso | 2017-10-04 | 29 | -87/+0

  ->snprintf() is always called via nftnl_expr_snprintf() wrapper, which is already dealing with this corner case for us.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* buffer: use nftnl_expr_snprintf() from nftnl_buf_expr() | Pablo Neira Ayuso | 2017-10-04 | 1 | -2/+3

  This helper function deals with no ->snprintf() indirection in expression and safe buffer nul-termination, use it.

  Fixes: 059b9bf6fb31 ("src: Use nftnl_buf to export XML/JSON rules")
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Buffer is null terminated. | Varsha Rao | 2017-09-27 | 44 | -3/+182

  In _snprintf() functions definition the buffer is null terminated.

  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Change parameters of SNPRINTF_BUFFER_SIZE macro. | Varsha Rao | 2017-09-27 | 28 | -389/+403

  SNPRINTF_BUFFER_SIZE() macro declaration and definition are changed so that it accepts three arguments: ret, remain and offset. Parameters size and len are not required; instead, parameter remain keeps track of available space in the buffer.

  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
* chain: Don't print unset policy value in netlink debug | Phil Sutter | 2017-09-08 | 1 | -5/+13

  The policy field was printed unconditionally, but if it wasn't set the default value 0 was printed as 'policy drop' which is not correct.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Fix memory leaks detected by Valgrind | Shyam Saini | 2017-09-04 | 3 | -0/+6

  ==11688== HEAP SUMMARY:
  ==11688==     in use at exit: 40 bytes in 1 blocks
  ==11688==   total heap usage: 7 allocs, 6 frees, 220 bytes allocated
  ==11688==
  ==11688== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
  ==11688==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==11688==    by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
  ==11688==    by 0x40133B: main (nft-chain-add.c:103)
  ==11688==
  ==11688== LEAK SUMMARY:
  ==11688==    definitely lost: 40 bytes in 1 blocks
  ==11688==    indirectly lost: 0 bytes in 0 blocks
  ==11688==      possibly lost: 0 bytes in 0 blocks
  ==11688==    still reachable: 0 bytes in 0 blocks
  ==11688==         suppressed: 0 bytes in 0 blocks

  ==11831== HEAP SUMMARY:
  ==11831==     in use at exit: 40 bytes in 1 blocks
  ==11831==   total heap usage: 7 allocs, 6 frees, 220 bytes allocated
  ==11831==
  ==11831== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
  ==11831==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==11831==    by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
  ==11831==    by 0x401154: main (nft-chain-del.c:79)
  ==11831==
  ==11831== LEAK SUMMARY:
  ==11831==    definitely lost: 40 bytes in 1 blocks
  ==11831==    indirectly lost: 0 bytes in 0 blocks
  ==11831==      possibly lost: 0 bytes in 0 blocks
  ==11831==    still reachable: 0 bytes in 0 blocks
  ==11831==         suppressed: 0 bytes in 0 blocks

  Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: limit stateful object support | Pablo M. Bermudo Garay | 2017-09-04 | 6 | -2/+259

  This patch adds support for a new type of stateful object: limit.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rt: tcpmss get support | Florian Westphal | 2017-08-21 | 2 | -1/+3

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: tcp option set support | Florian Westphal | 2017-08-21 | 3 | -6/+38

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: free user data | Eric Leblond | 2017-07-06 | 1 | -0/+2

  This was causing a memory leak when using set. Caught by an ASAN run:

  ==21004==ERROR: LeakSanitizer: detected memory leaks

  Direct leak of 12 byte(s) in 2 object(s) allocated from:
      #0 0x4cde58 in malloc (/usr/local/sbin/nft+0x4cde58)
      #1 0x7ffff79b8c19 in nftnl_set_set_data /home/eric/git/netfilter/libnftnl/src/set.c:179
* ct: rename eventmask to event | Florian Westphal | 2017-06-07 | 1 | -1/+1

  Pablo suggested this for consistency; ct status isn't named statusmask either.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct eventmask support | Florian Westphal | 2017-03-16 | 2 | -1/+4

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct helper support | Florian Westphal | 2017-03-16 | 6 | -2/+236

  Add support for ct helper objects; these are used to assign helpers to connections, similar to the iptables -j CT --set-helper target.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: extend set/get api for u8/u16 types | Florian Westphal | 2017-03-16 | 3 | -0/+34

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: exthdr: Display NFT_EXTHDR_F_PRESENT in debug output | Phil Sutter | 2017-03-13 | 1 | -2/+4

  This allows asserting it in the testsuite as well.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>